doc: point how to sign kernel module instead of disabling security #166
Comments
I don't see how self-signing a module is going to help you. If you don't turn the kernel module signing on, you still have to be a root user to run I have no plan to update the documentation myself to encourage self-signing of kernel modules, as I don't plan to do it myself, and I don't see the point.
Mmh root access and signed modules are 2 distinct things. Moreover, it educates people about security. Never bad 🙂
Sorry, how do you know your self-signed kernel module would not compromise system security?
Compiling a kernel module and installing it is very explicit already. Your custom kernel module is not going to compile itself and install itself to the correct location, and load itself automatically. If you are obliged by your company to turn on UEFI, then you probably would have to find out how to self-sign your kernel module.
Sorry, how do you know your self-signed kernel module would not compromise system security?
Compiling a kernel module and installing it is very explicit already. Your custom kernel module is not going to compile itself, install itself to the correct location, and load itself automatically. If a user is obliged by the company to turn on UEFI, then the user just has to find out how to sign your kernel module themselves...
You do not know. Compile and install is explicit. Yes. I just feel disappointed to read "turn off security" to make it work.
I think people who are concerned about turning it off know what it does anyway. The blog posts you linked are not adequate for my purposes, because they don't seem to mention how it works with DKMS.
You still haven't explained how a self-signed kernel module helps with security, when you have to explicitly load the kernel module anyway. If it is someone who cares about serious security, they would know their threat models, they would already make their own judgement on whether or not to turn off secure boot.
Alright, I am now convinced that Secure Boot is a useful feature to have on, but I do feel giving instructions to users on how to set it up is beyond the scope of the project - I can't set it up properly myself!
Hey @fangfufu! I agree this is beyond the scope of your project.
Apparently Ubuntu signs the DKMS kernel automatically anyway, but I don't use Ubuntu myself.
In the readme, you advise disabling UEFI Secure Boot.
I disagree, it is a terrible way and should mention that it exposes the user system to install untrusted modules at low-level.
You should mention the 2 choices:
Btw, thank you for this project. I was looking for that long ago :-)